Headline
CVE-2023-4752: Heap Use After Free in function ins_compl_get_exp in vim
Use After Free in GitHub repository vim/vim prior to 9.0.1858.
Description
Heap Use After Free in function ins_compl_get_exp at insexpand.c:3846
vim version
git log
commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD)
POC
./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf01_s.dat -c :qa!
=================================================================
==2302704==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000006394 at pc 0x555555d4d2c1 bp 0x7fffffffbcc0 sp 0x7fffffffbcb0
WRITE of size 4 at 0x625000006394 thread T0
#0 0x555555d4d2c0 in ins_compl_get_exp /home/fuzz/vim/src/insexpand.c:3846
#1 0x555555d4fd14 in find_next_completion_match /home/fuzz/vim/src/insexpand.c:4058
#2 0x555555d510a5 in ins_compl_next /home/fuzz/vim/src/insexpand.c:4160
#3 0x555555d5bb23 in ins_complete /home/fuzz/vim/src/insexpand.c:5018
#4 0x5555558d1dc5 in edit /home/fuzz/vim/src/edit.c:1289
#5 0x555555f87569 in invoke_edit /home/fuzz/vim/src/normal.c:7049
#6 0x555555f870dd in nv_edit /home/fuzz/vim/src/normal.c:7019
#7 0x555555f28ab6 in normal_cmd /home/fuzz/vim/src/normal.c:938
#8 0x555555b1b122 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
#9 0x555555b1aab7 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
#10 0x555555b199ff in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
#11 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
#12 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
#13 0x55555633a827 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672
#14 0x55555633d026 in do_source /home/fuzz/vim/src/scriptfile.c:1818
#15 0x555556335719 in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
#16 0x555556335872 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
#17 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
#18 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
#19 0x555555aa1bbc in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
#20 0x555556adbcd0 in exe_commands /home/fuzz/vim/src/main.c:3146
#21 0x555556ac5d78 in vim_main2 /home/fuzz/vim/src/main.c:782
#22 0x555556ac3250 in main /home/fuzz/vim/src/main.c:433
#23 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
#24 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d)
0x625000006394 is located 4756 bytes inside of 9424-byte region [0x625000005100,0x6250000075d0)
freed by thread T0 here:
#0 0x7ffff769040f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x555555698b50 in vim_free /home/fuzz/vim/src/alloc.c:615
#2 0x5555556ec3a1 in free_buffer /home/fuzz/vim/src/buffer.c:984
#3 0x5555556e9f36 in close_buffer /home/fuzz/vim/src/buffer.c:769
#4 0x5555556ee794 in empty_curbuf /home/fuzz/vim/src/buffer.c:1246
#5 0x5555556f1c07 in do_buffer_ext /home/fuzz/vim/src/buffer.c:1439
#6 0x5555556f5da5 in do_buffer /home/fuzz/vim/src/buffer.c:1652
#7 0x5555556f5f53 in do_bufdel /home/fuzz/vim/src/buffer.c:1686
#8 0x555555af1448 in ex_bunload /home/fuzz/vim/src/ex_docmd.c:5543
#9 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
#10 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
#11 0x555556722c9c in call_user_func /home/fuzz/vim/src/userfunc.c:3041
#12 0x55555672545f in call_user_func_check /home/fuzz/vim/src/userfunc.c:3203
#13 0x55555672bbf6 in call_func /home/fuzz/vim/src/userfunc.c:3759
#14 0x555556727e3b in call_callback /home/fuzz/vim/src/userfunc.c:3504
#15 0x55555653cd8f in find_tagfunc_tags /home/fuzz/vim/src/tag.c:1480
#16 0x5555565415b9 in findtags_apply_tfu /home/fuzz/vim/src/tag.c:1847
#17 0x555556552ed2 in find_tags /home/fuzz/vim/src/tag.c:3153
#18 0x555555d46a70 in get_next_tag_completion /home/fuzz/vim/src/insexpand.c:3400
#19 0x555555d4b5d2 in get_next_completion_match /home/fuzz/vim/src/insexpand.c:3715
#20 0x555555d4cbad in ins_compl_get_exp /home/fuzz/vim/src/insexpand.c:3823
#21 0x555555d4fd14 in find_next_completion_match /home/fuzz/vim/src/insexpand.c:4058
#22 0x555555d510a5 in ins_compl_next /home/fuzz/vim/src/insexpand.c:4160
#23 0x555555d5bb23 in ins_complete /home/fuzz/vim/src/insexpand.c:5018
#24 0x5555558d1dc5 in edit /home/fuzz/vim/src/edit.c:1289
#25 0x555555f87569 in invoke_edit /home/fuzz/vim/src/normal.c:7049
#26 0x555555f870dd in nv_edit /home/fuzz/vim/src/normal.c:7019
#27 0x555555f28ab6 in normal_cmd /home/fuzz/vim/src/normal.c:938
#28 0x555555b1b122 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
#29 0x555555b1aab7 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
previously allocated by thread T0 here:
#0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246
#2 0x5555556978ce in alloc_clear /home/fuzz/vim/src/alloc.c:177
#3 0x5555556fcc86 in buflist_new /home/fuzz/vim/src/buffer.c:2156
#4 0x55555692e35a in win_alloc_firstwin /home/fuzz/vim/src/window.c:4251
#5 0x55555692da9e in win_alloc_first /home/fuzz/vim/src/window.c:4185
#6 0x555556ac6cd4 in common_init /home/fuzz/vim/src/main.c:976
#7 0x555556ac204e in main /home/fuzz/vim/src/main.c:186
#8 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/vim/src/insexpand.c:3846 in ins_compl_get_exp
Shadow bytes around the buggy address:
==2302704==ABORTING
poc_huaf01_s.dat
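The two stacks in the report meet in ins_compl_get_exp: the free happens beneath its frame at insexpand.c:3823 (through the tag-function callback and ex_bunload), and the faulting write follows at insexpand.c:3846 in the same function. The following is an added illustration of that pattern and of one defensive form (re-resolving the buffer after the callback returns); it is not vim source and not the upstream patch, and every name in it (buf_t, source_cb, expand_unsafe, expand_checked and the helpers) is hypothetical.

```c
/* Added illustration, not vim source: all names here are hypothetical. */
#include <stddef.h>
#include <stdlib.h>

typedef struct buf { struct buf *next; int id; int pos; } buf_t;
typedef void (*source_cb)(void);    /* stands in for a script-defined callback */

buf_t *buf_list;                    /* every live buffer */
buf_t *cur;                         /* the current buffer */
int next_id = 1;                    /* ids are never reused */

buf_t *buf_new(void) {
    buf_t *b = calloc(1, sizeof *b);
    if (b == NULL) abort();
    b->id = next_id++;
    b->next = buf_list;
    return buf_list = b;
}

void buf_unload(buf_t *b) {         /* unlink from the list, then free */
    for (buf_t **pp = &buf_list; *pp != NULL; pp = &(*pp)->next)
        if (*pp == b) { *pp = b->next; break; }
    free(b);
}

buf_t *buf_by_id(int id) {          /* NULL once the buffer is gone */
    for (buf_t *b = buf_list; b != NULL; b = b->next)
        if (b->id == id) return b;
    return NULL;
}

/* A callback that replaces and frees the current buffer while it runs. */
void cb_unloads_current(void) { buf_t *old = cur; cur = buf_new(); buf_unload(old); }
void cb_benign(void) {}

/* Pattern in the trace: pointer cached before the callback, written after it. */
int expand_unsafe(source_cb cb) {
    buf_t *b = cur;
    cb();                           /* may free *b */
    b->pos = 42;                    /* heap-use-after-free if it did */
    return 0;
}

/* Hardened: remember an id instead, and look the buffer up again afterwards. */
int expand_checked(source_cb cb) {
    int id = cur->id;
    cb();
    buf_t *b = buf_by_id(id);
    if (b == NULL) return -1;       /* buffer went away: abandon the operation */
    b->pos = 42;
    return 0;
}
```

Building this with -fsanitize=address and passing cb_unloads_current to expand_unsafe produces the same report class as above, with the free stack running through the callback.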
Impact
This vulnerability is capable of crashing software, modifying memory, and possibly remote execution.
Related news
Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.
Ubuntu Security Notice 6452-1 - It was discovered that Vim could be made to divide by zero. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04. It was discovered that Vim did not properly manage memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained an arithmetic overflow. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.